US20250385780A1
FAST PARALLELIZABLE MULTI-KEY FULLY HOMOMORPHIC ENCRYPTION BASED ON NTRU
Publication
Application
Classifications
IPC Classifications
CPC Classifications
Applicants
Jinan University
Inventors
Jian WENG, Zhen HAN, Yuan JI, Zikai SONG, Yuteng WANG, Junzuo LAI, Zhiquan LIU, Ming LI, Bingwen FENG, Jiasi WENG
Abstract
The present application describes a multi-key fully homomorphic encryption (MK-FHE) scheme that enables secure and efficient multi-party computation by integrating learning with errors (LWE), ring learning with errors (RLWE), and NTRU-based encryption primitives. The scheme supports dynamic key management, parallelizable bootstrapping, and low-overhead homomorphic operations. Key innovations include a hybrid product mechanism for merging ciphertexts across cryptographic structures, a single-key blind rotation algorithm optimized for Fourier domain operations, and a noise-refreshing procedure that bounds error growth during homomorphic evaluations. This scheme achieves quasi-linear time complexity relative to the number of participating parties, making it suitable for resource-constrained environments such as federated learning and secure cloud-based AI inference.
Figures
Description
TECHNICAL FIELD
[0001]The present disclosure relates to the field of homomorphic encryption, particularly to a multi-key fully homomorphic encryption (MK-FHE) scheme. The disclosure provides a system and method for secure multi-party computation with parallelizable bootstrapping mechanisms. This enables efficient processing of encrypted data under multiple independent keys while reducing computational and hardware resource requirements.
BACKGROUND
[0002]Fully Homomorphic Encryption (FHE) allows computations on encrypted data without decryption, enabling privacy-preserving applications such as cloud computing, federated learning, and secure artificial intelligence (AI) inference. Traditional FHE schemes assume a single public key for encryption, which limits their applicability in multi-party scenarios where participants use independent keys. Two approaches address this limitation: Threshold FHE and Multi-Key FHE (MK-FHE). Threshold FHE uses a shared public key with distributed secret keys but is restricted to static participant sets, lacking flexibility. MK-FHE, conversely, allows each participant to generate independent key pairs, supporting dynamic participation and joint evaluation of ciphertexts under different keys.
[0003]Prior MK-FHE schemes, such as those by López-Alt et al., demonstrated feasibility but were limited by static keys and bounded participant counts. Later advancements, like those by Peikert and Shiehian, introduced dynamic key support but incurred high computational overhead. NTRU-based MK-FHE schemes, valued for compact ciphertexts, faced vulnerabilities like sublattice attacks, necessitating large moduli that increased resource demands. Recent TFHE-based MK-FHE schemes improved efficiency but relied on large bootstrapping keys, making them impractical for resource-constrained environments, such as edge devices or low-power servers.
[0004]Existing MK-FHE frameworks struggle with inefficient bootstrapping for multi-key ciphertexts, failing to balance security (e.g., avoiding overstretched parameters) and performance. Bootstrapping, a critical process for refreshing ciphertexts to manage noise growth, is computationally intensive in multi-key settings, often requiring significant memory and processing power. These limitations hinder scalability and deployment in real-world applications, particularly those involving dynamic participant sets or constrained hardware.
[0005]There remains an unmet need for an MK-FHE scheme that supports dynamic key inclusion, provides efficient parallelizable bootstrapping, and maintains robust security under standard cryptographic assumptions while minimizing hardware requirements.
SUMMARY
[0006]The present disclosure addresses these challenges by providing a novel MK-FHE scheme based on NTRU, incorporating parallelizable bootstrapping and hybrid ciphertext merging. The present disclosure provides the following schemes.
- [0008]generating a unified set of public parameters defining operational moduli and dimensions for learning with errors (LWE), ring learning with errors (RLWE), and NTRU-based encryption schemes;
- [0009]producing, for each participant in a plurality of participants, independent cryptographic keys comprising a secret key pair for encryption and decryption operations, and a hybrid product key enabling merging of ciphertexts across LWE and RLWE structures;
- [0010]transforming plaintext data into an initial encrypted form under a participant's secret key, yielding a participant-specific ciphertext compatible with LWE structures;
- [0011]aggregating participant-specific ciphertexts from the plurality of participants to form a composite ciphertext operable under multiple keys;
- [0012]conducting homomorphic evaluation of a logical operation on at least two composite ciphertexts, incorporating a noise-refreshing procedure that: integrates single-element LWE-based encrypted structures with multi-element RLWE-based encrypted structures through a gadget decomposition and tensor product-based multiplication process to generate an updated composite ciphertext; and
- [0013]recovering the evaluated plaintext from the updated composite ciphertext by collaboratively applying the secret keys of all relevant participants.
[0014]Preferably, the step of generating a unified set of public parameters defining operational moduli and dimensions for LWE, RLWE, and NTRU comprises specifying an integer modulus q for LWE operations and a polynomial ring modulus Q for RLWE and NTRU operations; specifying a vector dimension n for LWE secrets and a polynomial ring dimension N for RLWE/NTRU secrets; and specifying noise distributions, gadget decomposition bases, and error bounds for all three encryption schemes.
[0015]Preferably, the secret key pair comprises an LWE secret vector
and an
[0016]RLWE secret key zi ∈ RQ; the hybrid product key is generated by sampling random elements ri←χσ
computing
computing
and outputting a product key pair (di,1, di,2), a ciphertext merging key set is NKSK={nkski}0≤i≤d−1, where
[0017]Preferably, the step of transforming plaintext data into an initial encrypted form under a participant's secret key comprises sampling a random vector
and noise term e from a distribution χσ, computing a ciphertext component
and outputting the ciphertext as a pair
wherein si is the participant's LWE secret key.
[0018]Preferably, aggregating participant-specific ciphertexts from a plurality of participants by: receiving single-party LWE ciphertexts
for 1≤j≤k, where each cj is encrypted under a distinct participant's secret key; computing a joint offset term
concatenating ciphertext vectors to form
outputting a composite ciphertext
wherein the composite ciphertext is operable under a combination of all participants' secret keys for homomorphic evaluation or decryption.
[0019]Preferably, the noise-refreshing procedure during homomorphic evaluation comprises: computing decomposed components for each index j from 0 to d−1:vj=c⊙nkskj, constructing a gadget vector v=(v0, v1, . . . , vd−1), computing
and forming intermediate ciphertext
applying HybridProduct to ê using public keys {bj}j∈[k].
[0020]Preferably, recovering the evaluated plaintext comprises: computing an inner product between the updated composite ciphertext
and the aggregated secret key vector (1,
[0021]Preferably, the noise-refreshing procedure comprises: initializing an accumulator ACC, executing blind rotation BREval in a Fourier domain, and merging ciphertexts via HybridProduct with noise variance bounded by: σ2≤k·dhp·N2·Vhp·σβ2, where k denotes the number of participants, dhp denotes gadget decomposition dimension, N denotes ring dimension of RLWE/NTRU (RQ=ZQ[X]/(XN+1)), Vhp denotes variance bound of gadget base B, σβ2 denotes variance of RLWE noise distribution.
[0022]Preferably, the blind rotation algorithm BREval comprises: scaling coefficients
initializing ACC=Xa
for 1≤i≤n−1.
[0023]Preferably, the noise-refreshing procedure executes in quasi-linear time relative to the number of parties k.
[0024]Preferably, the noise-refreshing procedure further comprises a ModSwitch operation comprising: receiving a multi-key LWE ciphertext
applying randomized rounding to each component: [x]q:Q=└qx/Q┘+B, and outputting a refreshed ciphertext
[0025]Preferably, the noise-refreshing procedure further comprises a KeySwitch operation comprising: receiving a multi-key LWE ciphertext
for each participant j, 1≤j≤k, computing
then outputting a transformed ciphertext
- [0027]a central node configured to produce and disseminate a unified set of public parameters for LWE, RLWE, and NTRU-based encryption schemes; and
- [0028]a plurality of participant nodes, each configured to: generate cryptographic keys including a secret key and a hybrid product key for ciphertext merging; convert plaintext data into a participant-specific ciphertext; contribute to aggregating participant-specific ciphertexts into a composite ciphertext; participate in homomorphic evaluation via a noise-refreshing procedure that integrates LWE and RLWE structures through gadget decomposition and tensor product-based multiplication; wherein the noise-refreshing procedure applies a Fourier transform-based rotation operation in a frequency domain.
[0029]Preferably, each participant node executes the noise-refreshing procedure by: performing tensor product-based multiplication with decomposition and vector assembly to bound error growth.
[0030]Preferably, the central node distributes parameters defining a noise distribution χ and gadget base B.
[0031]Preferably, each participant node performs the tensor product-based multiplication by constructing a vector v=(v0, . . . , v_ {d−1}) via linear combinations of decomposed ciphertext components.
[0032]According to another aspect of the present disclosure, a non-transitory computer-readable storage medium storing instructions, when executed by one or more processors, cause the processors to perform the methods described above.
- [0034]1. Cryptographic Primitives: Utilizes Learning With Errors (LWE), Ring Learning With Errors (RLWE), and NTRU-based GSW-like encryption to construct a secure foundation for multi-key operations.
- [0035]2. Single-Key Blind Rotation: Employs a blind rotation algorithm operating in the Fourier domain to manipulate encrypted data efficiently, reducing computational overhead.
- [0036]3. Hybrid Ciphertext Merging: Combines scalar NTRU ciphertexts with multi-key RLWE ciphertexts via a hybrid product mechanism, optimizing noise management and compatibility.
- [0037]4. Parallelizable Multi-Key Bootstrapping: Implements a bootstrapping algorithm that refreshes ciphertexts under multiple keys in parallel, significantly reducing computational time.
- [0038]5. Core MK-FHE Algorithms: Includes Setup, KeyGen, Enc, Dec, and NAND operations, enabling dynamic key inclusion and evaluation of arbitrary circuits with quasi-linear time complexity.
[0039]The present disclosure has the following technical advantages. The disclosure leverages gadget decomposition and NTRU-based encryption to minimize noise growth during computations. The parallelizable bootstrapping algorithm reduces time complexity to quasi-linear in the number of parties, enabling faster processing compared to prior MK-FHE schemes that scale poorly with participant count. By optimizing ciphertext sizes through NTRU's compact structure and minimizing bootstrapping key sizes via blind rotation in the Fourier domain, the disclosure reduces memory and processing demands. This enables deployment on resource-constrained devices, such as edge devices or low-power servers, without sacrificing security. The scheme supports on-the-fly key addition, allowing new parties to join computations without reconfiguring the system, enhancing flexibility for applications like federated learning. Built on standard cryptographic assumptions (e.g., decisional KDM-form NTRU problem), the scheme avoids vulnerabilities like sublattice attacks by using carefully selected parameters, ensuring security without requiring oversized moduli.
BRIEF DESCRIPTION OF THE DRAWINGS
[0040]
[0041]
[0042]
are input to a NAND gate. The output of the NAND is an MK-LWE ciphertext (in
This ciphertext then undergoes accumulator operations (ACC operations) to become an MK-RLWE ciphertext (in
The MK-RLWE is then processed by a “Merge+Extract” step to form an MK-LWE ciphertext in
This is then processed by Key Switch to another MK-LWE ciphertext in
Finally, Mod Switen is applied to output the last MK-LWE ciphertext in
[0043]
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0044]The present disclosure enables secure multi-party computation by performing homomorphic operations on encrypted data under multiple independent keys, with a parallelizable noise-refreshing procedure that leverages Fourier transform-based rotation, gadget decomposition, and tensor product-based multiplication. The description details of some embodiments of the method's steps, the system's architecture, and the hardware configuration required for implementation, emphasizing efficiency improvements and suitability for resource-constrained environments.
[0045]The following detailed description, in conjunction with the accompanying drawings, elaborates the MK-FHE scheme based on NTRU, focusing on its technical implementation and improvements over prior art. The scheme integrates cryptographic primitives such as LWE, RLWE, and NTRU-based GSW-like encryption, with a focus on parallelizable bootstrapping to enable efficient multi-party computations. Some embodiments of the detailed algorithms are described below, incorporating specific operational steps, noise management techniques, and references to the illustrative figures.
[0046]A fast parallelizable multi-key fully homomorphic encryption based on NTRU according to some embodiments of the present disclosure is described below. The MK-FHE scheme includes cryptographic primitives, bootstrapping mechanisms, and core algorithms.Setup: Generates public parameters for LWE, RLWE, and NTRU.KeyGen: Each party generates LWE/RLWE/NTRU keys, plus evaluation keys for bootstrapping. Enc: Encrypts a bit into an LWE ciphertext using the party's secret key. Expand: Combines single-party LWE ciphertexts into a multi-key LWE ciphertext. Dec: Decrypts a multi-key ciphertext using all participants secret keys. NAND: Evaluates a NAND gate on two multi-key ciphertexts and refreshes via bootstrapping.
[0047]The server generates public parameters for LWE, RLWE and NTRU, taking the security parameter λ, and returns a public parameter set pp. In particular, generate the parameter ppLWE=(n, χ, σα, B, d, q), generate the parameter ppRLWE=(N, χ, σβ, B, d, a, Q), and generate the parameter ppNTRU=(N, χ, σe, B, d, Q). Finally, return the generated public parameters ppMKHE=(ppLWE, ppRLWE, ppNTRU).
[0048]Each party generates LWE/RLWE/NTRU keys, plus evaluation keys for bootstrapping. Specifically, each party samples an LWE secret key
a PLWE secret key zi ∈ RQ, and a noice vector
and compute
[0049]Generate the product key for NKSK product MK-RLWE: Firstly, using a RLWE secret key zj ∈ RQ and a NTRU secret key fi ∈RQ of party i. Sample ri←ωσ
output the vector
Sample
and a noise vector
compute
and output(di,1,di,2).
and return NKSK={nkski}0≤i≤d−1.
[0051]The evaluation key for Single-key blind rotation uses a secret key
for the first-layer LWE encryption, and a secret key ƒ ∈ RQ (aligning with the NTRU setup where fis sampled from the key distribution χs over R and projected to RQ for the second-layer NTRU-based GSW-like encryption. When computing a set of ciphertexts:
for 1≤i≤n, with these NTRU encryption operations adhering to the KDM-form NTRU assumption's mathematical space (i.e., within the ring RQ and using distributions χs, χe to ensure hardness properties as per the decisional KDM-form NTRUN,Q,
and noise
for 0≤i≤N−1, then compute
and output the keyswitch key lksk={(bi, Ai)}0≤j≤N−1.
[0053]After key Generation, Each party Publish(bi, hpki, NKSKi, EVKi, lkski).
[0054]Each party encrypts a bit into an LWE ciphertext using the party's secret key. Using a plaintext m ∈ {0,1}, party i sample
to output a LWE ciphertext
[0055]Each party Combines single-party LWE ciphertexts into a multi-key LWE ciphertext. Given
for 1≤j≤k, return the MK-LWE ciphertext
[0056]Evaluates a NAND gate on two multi-key ciphertexts and refreshes via bootstrapping. This algorithm operates on a Multi-key LWE ciphertext
First, it initializes ACC as
Then, for j from 1 to k, it invokes the BREval algorithm.
[0057]BREval((b, a),EVK) works as follows: First, iterate over i from 0 to n−1, and in each iteration, set
Then, initialize ACC as ACC=Xa
Finally, return ACC.
[0058]After that, for j from 1 to k again, the Merge algorithm is used to update ACC. The Merge algorithm functions as follows: It first iterates j from 0 to d−1, computing vj=c⊙nkskj.
[0059]Then, it constructs v=(v0, v1, . . . , vd−1). Next, for j from 0 to k, it computes
forms
and finally computes
[0060]It constructs v=(v0, v1, . . . , vd−1). Next, for j from 0 to k, it computes
forms
To compute
next, construct the MK-RLWE ciphertext
satisfying
Finally, it returns ĉ.
[0061]Next, ACC is updated by adding
Subsequently,
[0062]Then, the KeySwitch algorithm is performed. The KeySwitch (
and a set of key-switch keys {lsksj}j∈[k]. For 1≤j≤k, it computes
[0063]Then it outputs the ciphertext
after Extract, KeySwitch is performed on
[0064]Finally, the ModSwitch algorithm is applied. The ModSwitch(c) algorithm: Given a MK-LWE ciphertext
After KeySwitch, ModSwitch is applied to
[0065]Decrypts a multi-key ciphertext using all participants' secret keys. Given a MK-LWE ciphertext
and secret key
[0066]The principle of the technical schemes is further detailed below.
In the second distribution, one first samples
[0068]The decisional LWEn,q,χ assumption says that it is hard for any PPT algorithms to solve decisional LWEn,q,χ with non-negligible advantage over a random guess.
[0070]The decisional RLWEN,Q,χ assumption says that it is hard for any PPT algorithms to solve decisional RLWEN,Q,χ with non-negligible advantage over a random guess.
[0072]The decisional NTRU assumption (in the vector form) says that it is hard for any PPT algorithms to solve decisional NTRUN,Q,
[0074]The decisional KDM-form NTRUN,Q,
Gadget Decomposition
It is clear that
NTRU-Based GSW-Like Encryption
[0078]Building upon the concept of gadget decomposition described in the previous subsection, we now turn to an encryption scheme that leverages this structure in a homomorphic setting.
[0079]Definition 1 (scalar NTRU ciphertexts). Our scalar NTRU encryption of u ∈ RQ under a secret keyf ∈ RQ (that is invertible in RQ) is defined as:
where both f, g ∈ RQ are polynomials with small coefficients, which are usually taken from a ternary distribution in practice. Note that we don't multiple Δ to u in scalar NTRU encaryption different from [XZD+23](g/ƒ+Δ·u/ƒ), which is important for us to ensure the correctness of multi-key bootstrapping.
where g are noise vector with small coefficients, and d=┌logBQ┐. The external product ⊙:
between scalar NTRU ciphertexts c=NTRUQf(u) and vector NTRU ciphertexts
is define as:
[0081]Lemma 3: External Product. Let c=NTRUQ,f(u) ∈RQ with noise variance Var(g), and
[0082]The NTRU-based GSW-like encryption framework offers a compact and efficient mechanism for encoding both scalar and vector messages in a homomorphic context. Its carefully bounded noise growth, especially under external product operations, is critical for enabling deeper circuit evaluations without compromising correctness. This structure forms the cryptographic backbone of our blind rotation mechanism. In the next section, we leverage these components to construct a single-key blind rotation procedure, which serves as the foundational layer of our full multi-key bootstrapping pipeline.
Multi-key Fully Homomorphic Encryption
- [0084]Setup (1λ): Takes the security parameter λ, and returns a public parameter set pp.
- [0085]KeyGen (pp): Outputs a public key pk and secret key sk. Generates and outputs a public/secret key pair (pk, sk).
- [0086]Enc (m, pk): On input of a bit m ∈ {0,1} and public key pk, outputs a ciphertext ct ∈ {0,1}*. Each ciphertext is assumed to carry metadata indicating the identities of associated parties.
- [0087]Dec (
ct , {ski}i∈[k]): Given a ciphertextct and a set of secret keys {ski}i∈[k] corresponding to the involved users, returns a decrypted bit m ∈ {0,1}. - [0088]NAND (
ct 1,ct 2, {pki}i∈[k]): On input of two ciphertextsct 1 andct 2, along with the public keys pki of k participating parties (those associated with either input ciphertext), performs a NAND operation and outputs a new ciphertext.ct encoding the result. The output ciphertext implicitly contains the indices of the relevant users.
[0089]We adopt an extended form of (R)LWE-based encryption adapted for multi-key scenarios.
If the following holds:
then
[0091]In the RLWE case, for a message μ∈Rq and secre−keys z1, . . . , zk ∈ R, define
If
then
Multi-key Bootstrapping Supporting Parallelization
[0092]In the previous section, we introduced the fundamental building blocks of our construction, including multi-key FHE, gadget decomposition, and NTRU-based GSW-like encryption. With these tools in place, we now present our complete bootstrapping framework that supports multi-party computation and parallel homomorphic evaluation.
[0093]This chapter details the design of our multi-key bootstrapping procedure. We begin by describing a single-key blind rotation algorithm, which serves as the basis for manipulating encrypted data in the Fourier domain. We then extend this to the multi-key setting through ciphertext merging and transformation operations. Finally, we integrate all components into a unified multi-key bootstrapping algorithm that enables ciphertext refresh under multiple keys without compromising correctness or efficiency.
Single-key Blind Rotation
[0094]We design the single-key blind rotation algorithm to output a NTRU encrytion of
[0095]BRKGen(s,f): Given a secret key
for the first-layer LWE encryption, and a secret key θ ∈ RQ for the second-layer NTRU-based GSWlike encryption, the algorithm first computes a set of ciphertexts:
[0096]Then, the algorithm outputs EVK=(evk0, . . . , evkn) as the evaluation key for blind rotation.
[0097]BREval ((b, a), EVK): Given an LWE-based ciphertext
and an evaluation key EVK at inputs, computes and returns ACC as described in algorithm 1. The algorithm output a NTRU encrytion of
| Algorithm 1 BREval((b, a), EVK) |
|---|
| Input: |
| <maths id="MATH-US-00097" num="00097"><math overflow="scroll"><mrow><mrow><mi>An</mi><mo></mo><mtext> </mtext><mi>LWE</mi><mo></mo><mtext> </mtext><mi>ciphertext</mi><mo></mo><mtext> </mtext><mrow><msub><mi>LWE</mi><mrow><mi>s</mi><mo>,</mo><mi>q</mi></mrow></msub><mo>(</mo><mi>m</mi><mo>)</mo></mrow></mrow><mo>=</mo><mrow><mrow><mo>(</mo><mrow><mi>b</mi><mo>,</mo><mrow><mi>a</mi><mo>=</mo><mrow><mo>(</mo><mrow><msub><mi>a</mi><mn>0</mn></msub><mo>,</mo><mo>…</mo><mtext> </mtext><mo>,</mo><msub><mi>a</mi><mrow><mi>n</mi><mo>-</mo><mn>1</mn></mrow></msub></mrow><mo>)</mo></mrow></mrow></mrow><mo>)</mo></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>Q</mi><mrow><mi>n</mi><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></mrow></math></maths> |
| An evaluation key EVK = (evk0, ... , evkn) |
| Output: |
| <maths id="MATH-US-00098" num="00098"><math overflow="scroll"><mrow><mi>A</mi><mo></mo><mtext> </mtext><mi>NTRU</mi><mo></mo><mtext> </mtext><mi>ciphertext</mi><mo></mo><mtext> </mtext><mrow><msub><mi>NTRU</mi><mrow><mi>Q</mi><mo>,</mo><mi>f</mi></mrow></msub><mo>(</mo><msup><mi>X</mi><mrow><mfrac><mrow><mn>2</mn><mo></mo><mi>N</mi></mrow><mi>q</mi></mfrac><mo></mo><msubsup><mrow><mo>∑</mo><mtext> </mtext></mrow><mrow><mi>i</mi><mo>=</mo><mn>0</mn></mrow><mrow><mi>n</mi><mo>-</mo><mn>1</mn></mrow></msubsup><mo></mo><msub><mi>a</mi><mi>i</mi></msub><mo></mo><msub><mi>s</mi><mi>i</mi></msub></mrow></msup><mo>)</mo></mrow></mrow></math></maths> |
| 1. for i = 0 to n − 1 do |
| 2. <maths id="MATH-US-00099" num="00099"><math overflow="scroll"><mrow><msubsup><mi>a</mi><mi>i</mi><mo>′</mo></msubsup><mo>=</mo><mrow><mfrac><mrow><mn>2</mn><mo></mo><mi>N</mi></mrow><mi>q</mi></mfrac><mo></mo><msub><mi>a</mi><mi>i</mi></msub></mrow></mrow></math></maths> |
| 3. end for |
| 4. <maths id="MATH-US-00100" num="00100"><math overflow="scroll"><mrow><mi>ACC</mi><mo>←</mo><mrow><msup><mi>X</mi><msubsup><mi>a</mi><mi>o</mi><mo>′</mo></msubsup></msup><mo>⊙</mo><msub><mi>evk</mi><mn>0</mn></msub></mrow></mrow></math></maths> |
| 5. for i = 1 to n − 1 do |
| 6. <maths id="MATH-US-00101" num="00101"><math overflow="scroll"><mrow><mi>ACC</mi><mo>←</mo><mrow><mi>ACC</mi><mo>⊙</mo><mrow><mo>[</mo><mrow><mi>𝔤</mi><mo>+</mo><mrow><mrow><mo>(</mo><mrow><msup><mi>X</mi><msubsup><mi>a</mi><mi>i</mi><mo>′</mo></msubsup></msup><mo>-</mo><mn>1</mn></mrow><mo>)</mo></mrow><mo>·</mo><msub><mi>evk</mi><mi>i</mi></msub></mrow></mrow><mo>]</mo></mrow></mrow></mrow></math></maths> |
| 7. end for |
| 8. return ACC |
[0098]Lemma 4 (Single-key Blind Rotation): Let LWE-based ciphertext
under secret key
Let N be a power of 2 and q|N. Let f ∈ RQ be a polynomial that is invertible in RQ. Then for any EVK=BRKGen(s,f), we have that
[0099]The variance of ĝ satisfies
is the noise variance for the second-layer NTRU encrytion. We denote
as the variance of ĝ. We denote
be the noise variance for the evki for 0≤i≤n−1. In line 4 of Algorithm 1, We have the value of ACC equals
with noise variance
by Lemma 3. In line 6, it is easy to see that
with noise variance bounded by
[0100]Let ci be the value of ACC after evaluating the i-th loop in line 5-7, we have
[0101]Based on Lemma 3, the increased noise of each iteration has variance dNVB·2σe. After the loop from line 5 to 7, the output ciphertext ACC equals
with variance bounded by
Merge NTRU Ciphertext into MK-RLWE Ciphertext
[0102]To support homomorphic multiplication in the multi-key setting, we introduce a new operation that merges a scalar NTRU ciphertext with a multi-key RLWE ciphertext. This operation is crucial for enabling key-consistent evaluations across ciphertexts encrypted under different keys.
[0103]We define a two-step multiplication process. First, we outline the construction of the HybridProduct and the associated noise key-switching keys (nksk), which form the foundation for our ciphertext merging mechanism. These components will be integrated into our overall bootstrapping procedure to ensure correct and efficient message multiplication.
[0104]HPKGen(zi,θi): Given a RLWE secret key zi ∈ RQ and a NTRU secret key θi ∈ RQ of party i, it generates and returns the hpki=(di,0, di,1, di,2) as follows:
[0105]Sample ri←χσ
output the vector
[0106]Sample
and a noise vector
compute
and output(di,1,di,2)
[0107]HybridProduct (
of party i and the public keys {bj}j∈[k] of parties associated with
[0108]Then compute
return an MK-RLWE ciphertext
where
[0109]The output ciphertext
[0110]Let
denotes the vanance or me noise term e′, we have
| Algorithm 2 Merge(c, <o ostyle="single">c</o>, NKSKi, hpki, {bj}j∈[k]) |
|---|
| Input: |
| A scalar NTRU ciphertext (NTRUf<sub2>i</sub2>,Q(m) = c ∈ RQ) |
| Product Key (NKSKi = {nkskj}0≤j≤d-1, hpki, {bj}j∈[k]) |
| Output: |
| 1. for j = 0 to d − 1 do |
| 2. vj = c ⊙ nkskj |
| 3. end for |
| 4. v = (v0, v1, .... , vd−1) |
| 5. for j = 0 to k do |
| 6. cj′ = g−1 (cj) · v (mod Q) |
| 7. end for |
| 8. <maths id="MATH-US-00131" num="00131"><math overflow="scroll"><mrow><mover accent="true"><mi>c</mi><mi>ˆ</mi></mover><mo>=</mo><mrow><mo>(</mo><mrow><msubsup><mi>c</mi><mn>0</mn><mo>′</mo></msubsup><mo>,</mo><msubsup><mi>c</mi><mn>1</mn><mo>′</mo></msubsup><mo>,</mo><mo>…</mo><mtext> </mtext><mo>,</mo><msubsup><mi>c</mi><mi>k</mi><mo>′</mo></msubsup></mrow><mo>)</mo></mrow></mrow></math></maths> |
| 9. <o ostyle="single">c′</o> ← HybridProduct (ĉ, hpki, {bj}j∈[k]) |
| 10. return ĉ |
[0111]NKSKGen(ƒ,B): Given a NTRU secret key ƒ and gadget base B, the algorithm compute a set of ciphertexts
for 0≤i≤d−1 and return NKSK={nkski}0≤i≤d−1.
[0112]Correctness of Algorithm 2: We show that if NTRUθ
[0113]The algorithm first compute vi for (0≤i≤d−1) in line 1-2, we have
Then in line 4, we have
where
are noise polynomials with small coefficients. Then the algorithm compute
for 0≤j≤d−1) Let
we have that
[0114]After HybridProduct in line 9, we finally have the output ciphertext
[0115]So
Lemma 5 (Merge)
be the variance of noise term e′, we have that
where
are the noise vanance of c and the noise variance of nksk, respectively.
[0117]By definition, we have c=g/ƒi+m/ƒi=NTRUƒ
with noise variance
The algorithm first compute vj for (0≤j≤d−1) in line 1-2, we have that
where
by lemma 3.
[0118]Then in line 4, we have
where
Then the algorithm compute
[0119]Let
we have that
[0121]Let e″ be the noise introduced by the HybridProduct with variance
[0122]After HybridProduct in line 9, we finally have the output ciphertext
as the variance of e′, it is bounded by
The Multi-key Bootstrapping Algorithm
[0123]We first define the LWE-based Multi-key modswitch and multi-key keyswitch that will used in Multi-key Bootstrapping as follows.
and noise
for 0≤i≤N−1, then compute
and output the key-swithch key lksk={(bi,Ai)}0≤j≤N−1.
[0125]KeySwitch(
and a set of key-switch key {lkskj}j∈[k]. For 1≤j≤k, the algorithm compute
[0126]Then output the ciphertext
[0127]Lemma 6 (Key Switching for MK-LWE): Let
be a MK-LWE ciphertext encrypting m under secret key
and ${lkskj=LKSKGen(zj,sj)}j∈[k]$ be a set of key-swithcing key. The output ciphertext
is a ciphertext that encrypts m under secret key
Moreover, the increased noise e′ has variance
[0128]At the last step of our Multi-key bootstrapping, we will need to switch the modulus of an MK-LWE ciphertext, we define the ModSwitch algorithm using randomized rounding function.
[0129]ModSwitch(c): Given a MK-LWE ciphertext
where B ∈ {0,1} is a Bernoulli random variable with Pr{B=1}=(qx/Q)−└qx/Q┘ ∈ [0,1).
[0130]Lemma 7 (ModSwitch for MK-LWE): Let
is a MK-LWE ciphertext of μ with noise e. Then c′=ModSwitch(c) is a MK-LWE ciphertext of μ in
Moreover, the noise e′ of c′ has variance
| Algorithm 2 Multi-key Bootstrapping |
|---|
| Input: |
| Product Key(({NKSKj}, {hpkj}, {bj})j∈[k]) |
| Evaluation key {EVKj} = {(evk0,j, ... , evkn,j)}j∈[k] |
| LWE key-switching key{lkskj}j∈[k] |
| Output: |
| 1. <maths id="MATH-US-00175" num="00175"><math overflow="scroll"><mrow><mrow><mrow><mrow><mrow><mrow><mrow><mi>ACC</mi><mo>←</mo><mrow><mo>(</mo><mrow><mo>-</mo><mrow><mo>⌊</mo><mfrac><mi>Q</mi><mn>8</mn></mfrac></mrow></mrow></mrow></mrow><mo>⌉</mo></mrow><mo>·</mo><msup><mi>X</mi><mrow><mfrac><mrow><mn>2</mn><mo></mo><mi>N</mi></mrow><mi>q</mi></mfrac><mo></mo><mi>b</mi></mrow></msup><mo>·</mo><msub><mrow><mo>∑</mo><mtext> </mtext></mrow><mrow><mfrac><mi>N</mi><mn>2</mn></mfrac><mo><</mo><mi>i</mi><mo><</mo><mfrac><mi>N</mi><mn>2</mn></mfrac></mrow></msub></mrow><mo></mo><msup><mi>X</mi><mi>i</mi></msup></mrow><mo>,</mo><mn>0</mn></mrow><mo>)</mo></mrow><mo>∈</mo><msubsup><mi>R</mi><mi>Q</mi><mrow><mi>k</mi><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths> |
| 2. for j = 1 to k do |
| 3. ACCj′ ← BREval((b, aj), EVKj) |
| 4. end for |
| 5. For j = 1 to k do |
| 6. ACC ← Merge(ACC, ACCj′, NKSKj, hpkj, {bj}j∈[k]) |
| 7. end for |
| 8. <maths id="MATH-US-00176" num="00176"><math overflow="scroll"><mrow><mrow><mrow><mrow><mi>ACC</mi><mo>←</mo><mrow><mi>ACC</mi><mo>+</mo><mrow><mo>(</mo><mrow><mo>⌊</mo><mfrac><mi>Q</mi><mn>8</mn></mfrac></mrow></mrow></mrow></mrow><mo>⌉</mo></mrow><mo>,</mo><mn>0</mn></mrow><mo>)</mo></mrow></math></maths> |
| 9. <maths id="MATH-US-00177" num="00177"><math overflow="scroll"><mrow><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>←</mo><mrow><mi>Extract</mi><mo>(</mo><mi>ACC</mi><mo>)</mo></mrow></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>Q</mi><mrow><mrow><mi>k</mi><mo></mo><mi>N</mi></mrow><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths> |
| 10. <maths id="MATH-US-00178" num="00178"><math overflow="scroll"><mrow><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>←</mo><mrow><mi>KeySwitch</mi><mo>(</mo><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>,</mo><msub><mrow><mo>{</mo><msub><mi>lksk</mi><mi>j</mi></msub><mo>}</mo></mrow><mrow><mi>j</mi><mo>∈</mo><mrow><mo>[</mo><mi>k</mi><mo>]</mo></mrow></mrow></msub></mrow><mo>)</mo></mrow></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>Q</mi><mrow><mrow><mi>k</mi><mo></mo><mi>n</mi></mrow><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths> |
| 11. <maths id="MATH-US-00179" num="00179"><math overflow="scroll"><mrow><mrow><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>←</mo><mrow><mi>ModSwitch</mi><mo>(</mo><msup><mover><mi>ct</mi><mo>_</mo></mover><mo>′</mo></msup><mo>)</mo></mrow></mrow><mo>∈</mo><msubsup><mi>ℤ</mi><mi>q</mi><mrow><mrow><mi>k</mi><mo></mo><mi>n</mi></mrow><mo>+</mo><mn>1</mn></mrow></msubsup></mrow></math></maths> |
Correctness of Algorithm 3
in line 3, and
for the LWE public key and LWE secret key of party j, by the correctness of single-key blind rotaion we have
[0132]Then the algorithm mulitple scalar NTRU ciphertext
to the MK-RLWE ciphertext ACC for 1≤j≤k. Let ĉ be the value of ACC after iteration in line 7, we have
[0133]Let
Because
In line 8 the algorithm add
to ACC, so the value of ACC is a MK-RLWE encrytion that the constant trem of plaintext is
[0134]After that the algorithm extract a MK-LWE ciphertext
which satisfies
Then the MKSwitch switch the secret key from
Lemma 8 (Multi-key Boostrapping)
[0135]Let
be a MK-LWE ciphertext encryping a plaintext m under secret key (1,
where
are ine noise variances contributed respectively by the product, the keyswitch, and the modswitch in Algorithm 3.
[0137]Then after multiplying ACC′j to ACC k times (line 5-7), by lemma 5 we have that the noise variance of ACC is bounded by kσpd2, we have
[0138]By a trivial Extract in line 9, we get an MK-LWE ciphertext
Then by lemma 7 the noise vatince after ModSwitch is bounded by
We finally have the output ciphertext
Multi-key FHE Scheme
[0139]In this section, we explicitly describe an MKHE scheme based on all building blocks.
- [0141]Run LWE.Setup (180 ) to generate the parameter ppLWE=(n, χ, σα, B, d, q).
- [0142]Run RLWE.Setup (1λ) to generate the parameter ppRLWE=(N, χ, σβ, B, d, a, Q).
- [0143]Run NTRU.Setup (1λ) to generate the parameter ppNTRU=(N, χ, σe, B, d, Q).
- [0144]Return the generated public parameters ppMKHE=(ppLWE, ppRLWE, ppNTRU).
- [0146]Sample an LWE secret key
- [0147]Sample a RLWE secret key zi ∈ RQ, a noise vector
and compute
- [0148]Generate the product key for NTRU product MK-RLWE: hpki←HPKGen(zi,ƒi),NKSKi←NKSKGen(ƒi,B).
- [0149]Generate the evaluation key for Single-key blind rotation EVKi←BRKGen(si,ƒi).
- [0150]Let zi*=(zi,0,−zi,N−1, . . . ,−zi,1) ∈
N for zi=zi,0+zi,1X+. . . +ziN−1XN−1.
- [0152]Publish(bi, hpki, NKSKi, EVKi, lkski).
[0153]MKHE.Enc(si,m): Given a plaintext m ∈ 0,1,party i sample
and output a LWE ciphertext
[0154]MKHE.Expand({cj}j∈[k]): Given
1≤j≤k, return the MK-LWE ciphertext
[0155]MKHE.Dec (
and secret key
[0156]MKHE.NAND(
- [0157]1. Compute
- [0158]2. Run Multi-key bootstrapping Algorithm 3 to get the refreshed ciphertext
ct′ ,returnct′ .
- [0158]2. Run Multi-key bootstrapping Algorithm 3 to get the refreshed ciphertext
[0159]According to another aspect of the present disclosure, as shown in
[0160]Each participant node, implemented on an edge device (e.g., Raspberry Pi 4 with 4 GB RAM, quad-core ARM Cortex-A72 processor, and 32 GB SD card storage), is configured to:
[0161]Generate Cryptographic Keys: Produce a secret key pair (si,zi), a hybrid product key hpki, and evaluation keys, stored in a memory (e.g. 256 MB of encrypted RAM).
[0162]Encrypt Plaintext: Convert plaintext bits into LWE ciphertext
using a cyptographic co-processor for modular arithmetic.
[0163]Aggregate Ciphertexts: Contribute to forming the composite ciphertext
- [0165]Fourier Transform-Based Rotation: Apply blind rotation in the Fourier domain, using a GPU (e.g., NVIDIA Jetson Nano) to achieve O(n log n) complexity for polynomial degree n.
- [0166]Tensor Product-Based Multiplication: Perform tensor product-based multiplication with gadget decomposition and vector assembly to bound error growth. Construct a gadget vector v=(v0, v1, ···, vd−1) via linear combinations of decomposed NTRU ciphertext components, computed on a CPU with, for example, 2 MB cache. The tensor products are assembled into an updated RLWE ciphertext, ensuring noise variance
[0167]The system's parallel execution across participant nodes, supported by multi-core processors and distributed computing frameworks (e.g., Apache Spark), achieves quasi-linear complexity, enabling scalability for large k.
Hardware Implementation
- [0169]Central Node: A cloud server with a 64-bit multi-core CPU (e.g., AMD EPYC with 16 cores), 32 GB DDR4 RAM, 500 GB NVMe SSD storage, and a 10 Gbps network interface for parameter distribution and coordination. The server runs a Linux-based OS (e.g., Ubuntu 22.04) with cryptographic libraries (e.g., OpenFHE, SEAL) for parameter generation and communication.
- [0170]Participant Nodes: Edge devices or laptops with quad-core 64-bit processors (e.g., Intel Core i5 or ARM Cortex-A72), 4-8 GB RAM, 32-64 GB flash storage, and a cryptographic co-processor (e.g., TPM or AES-NI support). These devices support FFT computations via GPU accelerators (e.g., NVIDIA CUDA cores) and store keys and ciphertexts in encrypted memory partitions.
- [0171]Network Infrastructure: A secure network with TLS 1.3 encryption, 1 Gbps bandwidth, and low-latency connections (e.g., <50 ms) to ensure efficient key and ciphertext exchange.
- [0172]Storage Requirements: Approximately 1 MB per LWE ciphertext, 2-4 MB per RLWE/NTRU ciphertext, and 10 MB for key storage per node, enabling deployment on resource-constrained devices like IoT gateways.
- [0173]Power Consumption: Participant nodes operate within a 5-10 W power envelope, suitable for battery-powered edge devices, while the central node consumes 100-200 W, typical for cloud servers.
[0174]This hardware configuration supports the method's efficiency, with blind rotation greatly reducing computation time compared to polynomial arithmetic, and NTRU's compact structures reducing memory usage compared to TFHE-based schemes. The system's design enables deployment in resource-constrained environments, such as edge computing networks for IoT or mobile devices.
[0175]The descriptions, examples, methods and materials presented in the claims and the specification are not to be construed as limiting but rather as illustrative only.
[0176]Meanings of technical and scientific terms used herein are to be commonly understood as by one of ordinary skill in the art to which the disclosure belongs, unless otherwise defined. The present disclosure may be implemented in the testing or practice with methods and materials equivalent or similar to those described herein.
[0177]While the disclosure has been described with respect to a limited number of embodiments, these should not be construed as limitations on the scope of the disclosure, but rather as exemplifications of some of the preferred embodiments. Other possible variations, modifications, and applications are also within the scope of the disclosure. Accordingly, the scope of the disclosure should not be limited by what has thus far been described, but by the appended claims and their legal equivalents.
Claims
What is claimed is,:
1. A computer-implemented method for multi-key fully homomorphic encryption, comprising:
generating a unified set of public parameters defining operational moduli and dimensions for learning with errors (LWE), ring learning with errors (RLWE), and NTRU-based encryption schemes;
producing, for each participant in a plurality of participants, independent cryptographic keys comprising a secret key pair for encryption and decryption operations, and a hybrid product key enabling merging of ciphertexts across LWE and RLWE structures;
transforming plaintext data into an initial encrypted form under a participant's secret key, yielding a participant-specific ciphertext compatible with LWE structures;
aggregating participant-specific ciphertexts from the plurality of participants to form a composite ciphertext operable under multiple keys;
conducting homomorphic evaluation of a logical operation on at least two composite ciphertexts, incorporating a noise-refreshing procedure that: integrates single-element LWE-based encrypted structures with multi-element RLWE-based encrypted structures through a gadget decomposition and tensor product-based multiplication process to generate an updated composite ciphertext; and
recovering the evaluated plaintext from the updated composite ciphertext by collaboratively applying the secret keys of all relevant participants.
2. The method of
3. The method of
and an RLWE secret key zi ∈ RQ; the hybrid product key is generated by sampling random elements ri←χσ
computing
computing
and outputting a product key pair (di,1, di,2), a ciphertext merging key set is NKSK={nkski}2≤i≤d−1, where
4. The method of
and noise term e←χσ computing a ciphertext component
outputung the ciphertext as a pair
wherein si is the participant's LWE secret key.
5. The method of
for 1≤j≤k, where each cj is encrypted under a distint participant's secret key; computing a joint offset term
concatenating ciphertext vectors to form
outputting a composite ciphertext
wherein the composite ciphertext is operable under a combination of all participants' secret keys for homomorphic evaluation or decryption.
6. The method of
and forming intermediate ciphertexts ĉ=(c′0, c′1, . . . , c′k), applying HybridProduct to ĉ using public keys {bj}j∈[k].
7. The method of
computing an inner product between the updated composite ciphertext
and the aggregated secret key vector (1,
8. The method of
9. The method of
scaling coefficients
initializing ACC=Xα
for 1≤i≤n−1.
10. The method of
11. The method of
12. The method of
for each paritipant j, 1≤j≤k, computing
then outputting a transformed ciphertext
13. A computing system configured for multi-key fully homomorphic encryption, comprising:
a central node configured to produce and disseminate a unified set of public parameters for LWE, RLWE, and NTRU-based encryption schemes; and
a plurality of participant nodes, each configured to: generate cryptographic keys including a secret key pair and a hybrid product key for ciphertext merging; convert plaintext data into a participant-specific ciphertext; contribute to aggregating participant-specific ciphertexts into a composite ciphertext; participate in homomorphic evaluation via a noise-refreshing procedure that integrates LWE and RLWE structures through gadget decomposition and tensor product-based multiplication; wherein the noise-refreshing procedure applies a Fourier transform-based rotation operation in a frequency domain.
14. The system of
15. The system of
16. The system of
17. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause the processors to perform the method of